fix(deps): update module github.com/docker/cli to v29 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/docker/cli	v28.3.1+incompatible → v29.2.0+incompatible

GitHub Vulnerability Alerts

CVE-2025-15558

This issue affects Docker CLI through 29.1.5

Impact

Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user.

This issue affects Docker CLI through v29.1.5 (fixed in v29.2.0). It impacts Windows binaries acting as a CLI plugin manager via the github.com/docker/cli/cli-plugins/manager package, which is consumed by downstream projects such as Docker Compose.

Docker Compose became affected starting in v2.31.0, when it incorporated the relevant CLI plugin manager code (see https://github.com/docker/compose/pull/12300), and is fixed in v5.1.0.

This issue does not impact non-Windows binaries or projects that do not use the plugin manager code.

Patches

Fixed version starts with 29.2.0

This issue was fixed in docker/cli@1375933 (https://github.com/docker/cli/pull/6713), which removed %PROGRAMDATA%\Docker\cli-plugins from the list of paths used for plugin-discovery on Windows.

Workarounds

None

Resources

• Pull request: "cli-plugins/manager: remove legacy system-wide cli-plugin path" (https://github.com/docker/cli/pull/6713)
• Patch: https://github.com/docker/cli/commit/13759330b1f7e7cb0d67047ea42c5482548ba7fa.patch

Credits

Nitesh Surana (niteshsurana.com) of Trend Research of TrendAI

---

Release Notes

docker/cli (github.com/docker/cli)

v29.2.0+incompatible

Compare Source

v29.1.5+incompatible

Compare Source

v29.1.4+incompatible

Compare Source

v29.1.3+incompatible

Compare Source

v29.1.2+incompatible

Compare Source

v29.1.1+incompatible

Compare Source

v29.1.0+incompatible

Compare Source

v29.0.4+incompatible

Compare Source

v29.0.3+incompatible

Compare Source

v29.0.2+incompatible

Compare Source

v29.0.1+incompatible

Compare Source

v29.0.0+incompatible

Compare Source

v28.5.2+incompatible

Compare Source

v28.5.1+incompatible

Compare Source

v28.5.0+incompatible

Compare Source

v28.4.0+incompatible

Compare Source

v28.3.3+incompatible

Compare Source

v28.3.2+incompatible

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 16 additional dependencies were updated

Details:

Package	Change
github.com/stretchr/testify	v1.10.0 -> v1.11.1
go.opentelemetry.io/auto/sdk	v1.1.0 -> v1.2.1
github.com/docker/go-connections	v0.5.0 -> v0.6.0
github.com/grpc-ecosystem/grpc-gateway/v2	v2.20.0 -> v2.24.0
go.opentelemetry.io/otel	v1.36.0 -> v1.41.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.19.0 -> v1.33.0
go.opentelemetry.io/otel/metric	v1.36.0 -> v1.41.0
go.opentelemetry.io/otel/trace	v1.36.0 -> v1.41.0
go.opentelemetry.io/proto/otlp	v1.3.1 -> v1.4.0
golang.org/x/net	v0.28.0 -> v0.41.0
golang.org/x/term	v0.23.0 -> v0.32.0
golang.org/x/text	v0.17.0 -> v0.26.0
golang.org/x/time	v0.5.0 -> v0.11.0
google.golang.org/genproto/googleapis/api	v0.0.0-20240814211410-ddb44dafa142 -> v0.0.0-20241209162323-e6fa225c2576
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240903143218-8af14fe29dc1 -> v0.0.0-20241209162323-e6fa225c2576
google.golang.org/grpc	v1.67.0 -> v1.68.1

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: downloading github.com/google/go-containerregistry v0.20.6
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading github.com/spf13/cobra v1.9.1
go: downloading golang.org/x/mod v0.25.0
go: downloading github.com/docker/go-connections v0.5.0
go: downloading github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de
go: downloading github.com/spf13/viper v1.18.2
go: downloading sigs.k8s.io/yaml v1.4.0
go: downloading k8s.io/client-go v0.30.2
go: downloading github.com/docker/go-units v0.5.0
go: downloading github.com/stretchr/testify v1.10.0
go: downloading github.com/go-test/deep v1.1.0
go: downloading github.com/goodhosts/hostsfile v0.1.6
go: downloading github.com/imdario/mergo v0.3.14
go: downloading github.com/mitchellh/copystructure v1.2.0
go: downloading github.com/rancher/wharfie v0.6.2
go: downloading go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
go: downloading golang.org/x/sync v0.15.0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
go: downloading github.com/xeipuuv/gojsonschema v1.2.0
go: downloading gotest.tools v2.2.0+incompatible
go: downloading github.com/docker/cli v29.2.0+incompatible
go: downloading github.com/docker/docker v28.3.1+incompatible
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/spf13/pflag v1.0.6
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading golang.org/x/sys v0.33.0
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/fsnotify/fsnotify v1.7.0
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading github.com/sagikazarmark/locafero v0.4.0
go: downloading github.com/sagikazarmark/slog-shim v0.1.0
go: downloading github.com/spf13/afero v1.11.0
go: downloading github.com/spf13/cast v1.6.0
go: downloading golang.org/x/term v0.23.0
go: downloading k8s.io/apimachinery v0.30.2
go: downloading k8s.io/klog/v2 v2.120.1
go: downloading github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
go: downloading github.com/dimchansky/utfbom v1.1.1
go: downloading github.com/magefile/mage v1.15.0
go: downloading github.com/mitchellh/reflectwalk v1.0.2
go: downloading go.uber.org/multierr v1.9.0
go: downloading github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415
go: downloading github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
go: downloading github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/distribution/reference v0.6.0
go: downloading github.com/google/uuid v1.6.0
go: downloading github.com/moby/term v0.5.2
go: downloading github.com/morikuni/aec v1.0.0
go: downloading go.opentelemetry.io/otel v1.36.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0
go: downloading go.opentelemetry.io/otel/metric v1.36.0
go: downloading go.opentelemetry.io/otel/sdk v1.36.0
go: downloading go.opentelemetry.io/otel/sdk/metric v1.36.0
go: downloading go.opentelemetry.io/otel/trace v1.36.0
go: downloading github.com/moby/docker-image-spec v1.3.1
go: downloading github.com/opencontainers/image-spec v1.1.1
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading github.com/containerd/errdefs v1.0.0
go: downloading github.com/containerd/errdefs/pkg v0.3.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0
go: downloading github.com/moby/go-archive v0.1.0
go: downloading github.com/docker/distribution v2.8.3+incompatible
go: downloading github.com/containerd/stargz-snapshotter/estargz v0.16.3
go: downloading github.com/sourcegraph/conc v0.3.0
go: downloading golang.org/x/exp v0.0.0-20230905200255-921286631fa9
go: downloading golang.org/x/text v0.17.0
go: downloading github.com/subosito/gotenv v1.6.0
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading gopkg.in/ini.v1 v1.67.0
go: downloading github.com/magiconair/properties v1.8.7
go: downloading github.com/pelletier/go-toml/v2 v2.1.0
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.4.1
go: downloading golang.org/x/net v0.28.0
go: downloading github.com/go-logr/logr v1.4.3
go: downloading go.uber.org/atomic v1.9.0
go: downloading github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb
go: downloading github.com/docker/docker-credential-helpers v0.9.3
go: downloading github.com/fvbommel/sortorder v1.1.0
go: downloading github.com/moby/sys/atomicwriter v0.1.0
go: downloading github.com/mattn/go-runewidth v0.0.16
go: downloading go.opentelemetry.io/proto/otlp v1.3.1
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1
go: downloading google.golang.org/grpc v1.67.0
go: downloading github.com/Microsoft/go-winio v0.6.2
go: downloading github.com/felixge/httpsnoop v1.0.4
go: downloading github.com/moby/sys/user v0.4.0
go: downloading github.com/containerd/log v0.1.0
go: downloading github.com/moby/patternmatcher v0.6.0
go: downloading github.com/moby/sys/sequential v0.6.0
go: downloading github.com/moby/sys/userns v0.1.0
go: downloading github.com/klauspost/compress v1.18.0
go: downloading github.com/vbatts/tar-split v0.12.1
go: downloading sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/google/gofuzz v1.2.0
go: downloading golang.org/x/oauth2 v0.30.0
go: downloading golang.org/x/time v0.5.0
go: downloading github.com/rivo/uniseg v0.2.0
go: downloading github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading go.opentelemetry.io/auto/sdk v1.1.0
go: downloading github.com/cenkalti/backoff/v4 v4.3.0
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0
go: downloading google.golang.org/protobuf v1.36.3
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142
go: downloading github.com/moby/moby/api v1.54.0
go: downloading github.com/moby/moby v28.5.2+incompatible
go: downloading github.com/moby/moby/client v0.3.0
go: downloading go.opentelemetry.io/otel v1.42.0
go: downloading go.opentelemetry.io v0.1.0
go: downloading github.com/docker/go-connections v0.6.0
go: downloading golang.org/x/time v0.11.0
go: github.com/k3d-io/k3d/v5/pkg/runtimes/docker imports
	github.com/docker/cli/cli/command imports
	go.opentelemetry.io/otel/semconv/v1.37.0: cannot find module providing package go.opentelemetry.io/otel/semconv/v1.37.0
go: downloading github.com/creack/pty v1.1.24